Azure storage account cross-tenant object replication was enabled

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-04-07
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: Azure Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Informational

Description

Azure cross-tenant object replication in a storage account was enabled.

Attacker's Goals

Enable unauthorized data transfer to an external or attacker-controlled environment.
Establish a persistent channel for ongoing data exfiltration.
Conceal malicious activity by utilizing legitimate cross-tenant object replication functionality.

Investigative actions

Confirm that the identity intended to enable cross-tenant replication.
Follow further actions done by the identity.
Monitor the storage account for other suspicious activities.

Variations

Azure storage account cross-tenant object replication was enabled for the first time in a subscription

Synopsis

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Low

Description

Azure cross-tenant object replication in a storage account was enabled for the first time in a subscription.

Attacker's Goals

Enable unauthorized data transfer to an external or attacker-controlled environment.
Establish a persistent channel for ongoing data exfiltration.
Conceal malicious activity by utilizing legitimate cross-tenant object replication functionality.

Investigative actions

Confirm that the identity intended to enable cross-tenant replication.
Follow further actions done by the identity.
Monitor the storage account for other suspicious activities.